New Explanatory Notes on Voice Recognition Systems
11 maggio 2017 – On 20 April 2017, the Swiss Federal Data Protection and Information Commissioner (Commissioner) published explanatory notes on voice recognition systems (Explanatory Notes, available in German, French and Italian).
Voice recognition systems are biometric procedures allowing identification of persons by means of their voices. The new Explanatory Notes reflect the opinion of the Commissioner and thus serve as practical guidance, but do not constitute binding Swiss law.
According to the Explanatory Notes, the processing of personal data in connection with the use of voice recognition systems must be limited to what is necessary and suitable in order to fulfil the purpose of the data processing. In addition, data security must be ensured in order to prevent unauthorised access.
The Commissioner is of the opinion that central storage of biometric data is disproportionate in the area of recreational activities: as the data subjects are physically present, they can identify themselves with a token (e.g. Smartcard). Central storage is thus not necessary.
In contrast, the Commissioner deems central storage of biometric data more likely to be necessary and thus lawful with respect to the protection of confidential data, in particular in the telecommunications and banking sector. This is especially the case with respect to business applications which provide for remote authentication (e.g. by phone or online). According to the Explanatory Notes, the data subjects concerned must be comprehensively informed beforehand and must have given their prior voluntary and express consent to the data processing.
The Commissioner does not explain why he deems express consent of the data subject a necessary prerequisite. This opinion is highly debatable, as from a data protection law point of view, consent of the data subject is not necessary as long as the provisions of the Swiss Federal Data Protection Act (DPA) and its accompanying ordinance are complied with, i.e. in particular the general data protection principles. As a side note, consent of the data subject may be necessary based on other grounds, such as the Swiss Federal Penal Code. In particular and unless an exception applies, consent is necessary based on art. 179ter para. 1 of the Swiss Federal Penal Code in case the voice recognition system involves the recording of a conversation. However, even in this case implied consent of the data subject whose voice is being recorded is likely to be sufficient (although voice prints may qualify as sensitive personal data: art. 4 para. 5 DPA – which requires consent to be express in case of processing of sensitive personal data – only applies to consent requirements based on the DPA).
According to the Explanatory Notes, the Commissioner is of the opinion that an alternative to the biometric recognition system needs to be offered. This criterion seems very restrictive and it is doubtful whether it has a legal basis in the DPA.
Finally, according to the Commissioner, centrally stored data may only be used for the specific verification in question, may not be disclosed to third parties and must be protected by stringent data security measures. The Commissioner’s view according to which disclosure of voiceprints to third parties shall be generally prohibited goes too far. Disclosure of biometric data to third parties must in any case be lawful if it is justified by the express consent of the data subject, an overriding private or public interest or by law (cf. art. 12 para. 2 let. c and art. 13 para. 1 DPA).